# Microsoft Purview - DLP - File copied to remote desktop session
## Query Information
### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|--------------|-------------------------------------|----------------------------------------------------|
| T1021.001 | Lateral Movement: Remote Desktop Protocol | https://attack.mitre.org/techniques/T1021/001/ |
### Description
Use the query below to list Microsoft Purview DLP ***File copied to remote desktop session*** activities.
#### References
- [Learn about data loss prevention](https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp)
- [Get started with activity explorer](https://learn.microsoft.com/en-us/purview/data-classification-activity-explorer)
- [Learn about Endpoint data loss prevention](https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about)
### Microsoft Defender XDR
```kql
CloudAppEvents
| where ActionType == @"FileCopiedToRemoteDesktopSession"
| extend ObjectId = parse_json(RawEventData)["ObjectId"]
| extend Sha = parse_json(RawEventData)["Sha256"]
| extend DeviceName = parse_json(RawEventData)["DeviceName"]
| extend Application = parse_json(RawEventData)["Application"]
| extend PolicyName = parse_json(RawEventData)["PolicyMatchInfo"]["PolicyName"]
| extend Justification = parse_json(RawEventData)["Justification"]
| project
    Timestamp,
    AccountId,
    AccountDisplayName,
    IPAddress,
    DeviceName,
    ObjectId,
    Sha,
    Application,
    PolicyName,
    Justification,
    RawEventData
| extend JustificationTextStr = tostring(Justification)
| extend
    justification_id = extract(@"^([^_]+)", 1, JustificationTextStr),
    justification_description = extract(@"^[^_]+_(.*):", 1, JustificationTextStr),
    justification_comment = extract(@":(.*)$", 1, JustificationTextStr)
| project-away JustificationTextStr
| sort by Timestamp desc
```
Use the query below to find details of the potential Remote Desktop connection made from the same device within the time frame of the DLP activity (5 minutes).
```kql
let DlpEvents = CloudAppEvents
| extend dlptimestamp = Timestamp
| where ActionType == @"FileCopiedToRemoteDesktopSession"
| extend ObjectId = parse_json(RawEventData)["ObjectId"]
| extend Sha = parse_json(RawEventData)["Sha256"]
| extend DeviceName = tostring(parse_json(RawEventData)["DeviceName"])
| extend Application = parse_json(RawEventData)["Application"]
| extend PolicyName = parse_json(RawEventData)["PolicyMatchInfo"]["PolicyName"]
| extend Justification = parse_json(RawEventData)["Justification"]
| project
    dlptimestamp,
    AccountId,
    AccountDisplayName,
    IPAddress,
    DeviceName,
    ObjectId,
    Sha,
    Application,
    PolicyName,
    Justification,
    RawEventData
| extend JustificationTextStr = tostring(Justification)
| extend
    justification_id = extract(@"^([^_]+)", 1, JustificationTextStr),
    justification_description = extract(@"^[^_]+_(.*):", 1, JustificationTextStr),
    justification_comment = extract(@":(.*)$", 1, JustificationTextStr)
| project-away JustificationTextStr
| sort by dlptimestamp desc;
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName has "mstsc"
| join kind=inner (DlpEvents) on $left.DeviceName == $right.DeviceName
| where abs(datetime_diff("minute", Timestamp, dlptimestamp)) <= 5
| project
    dlptimestamp,
    Timestamp,
    DeviceName,
    RemoteIP,
    RemotePort,
    AccountId,
    AccountDisplayName,
    ObjectId,
    Sha,
    Application,
    PolicyName,
    justification_id,
    justification_description,
    justification_comment,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| sort by dlptimestamp desc
```
This query is designed to identify and analyze instances where files are copied to a remote desktop session, which is a potential data loss prevention (DLP) concern. It leverages Microsoft Purview's capabilities to track such activities and is aligned with the MITRE ATT&CK framework, specifically the technique for lateral movement using Remote Desktop Protocol (RDP).
Here's a simplified breakdown of the query:
- **Identify File Copy Events:** The first part of the query filters events from CloudAppEvents where the action type is "FileCopiedToRemoteDesktopSession". It extracts relevant details such as the file's unique identifier (ObjectId), its SHA256 hash (Sha), the device name, the application used, the policy name that was triggered, and any justification provided for the action.
- **Extract Justification Details:** The query further breaks down the justification text into components like ID, description, and any comments provided.
- **Sort and Display:** The results are sorted by the timestamp of the event in descending order, showing the most recent events first.
- **Correlate with Remote Desktop Connections:** The second part of the query looks for successful connection events (ConnectionSuccess) in DeviceNetworkEvents where the initiating process is the Remote Desktop client (mstsc). It joins these events with the previously identified DLP events based on the device name.
- **Timeframe Matching:** It ensures that the remote desktop connection occurred within 5 minutes of the file copy event, indicating a potential correlation between the two activities.
- **Output:** The final output includes details such as the timestamps of both the DLP event and the remote connection, device and account information, file details, policy information, and specifics about the remote connection (IP and port).
This query helps security teams monitor and investigate potential data exfiltration activities via remote desktop sessions, providing insights into who performed the action, what files were involved, and under what circumstances.
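The following is an added example, not part of the original query or the author's code, that lets you check the justification parsing and the 5-minute correlation window against constructed data before running the queries against a live tenant. It builds two `datatable` inputs shaped like the columns the queries read (the `"<id>_<description>:<comment>"` justification layout is an assumption inferred from the `extract()` patterns above, not taken from Purview documentation; all device names, paths, IPs and justification strings are constructed) and applies the same `extract()` expressions and join logic.

```kql
// Added example with constructed sample data; not the page's own query.
// Justification layout "<id>_<description>:<comment>" is assumed from the
// extract() patterns in the hunting query above.
// SampleDlp row 1: fully populated justification.
// SampleDlp row 2: justification with id only (no description/comment part),
//                  to show that the extract() calls yield empty values rather than failing.
let SampleDlp = datatable(dlptimestamp:datetime, DeviceName:string, AccountDisplayName:string, ObjectId:string, Justification:string)
[
    datetime(2025-05-11 09:00:00), "ws-0123.corp.example", "Alice Example", @"C:\Users\alice\Documents\q2-forecast.xlsx", "4_Business justification:sending to finance for review",
    datetime(2025-05-11 09:30:00), "ws-0456.corp.example", "Bob Example",   @"C:\Users\bob\Desktop\notes.txt",               "1_Override"
];
// SampleNet row 1: mstsc connection 90 seconds before the ws-0123 copy (inside the window).
// SampleNet row 2: mstsc connection 3 minutes before the ws-0456 copy (inside the window).
// SampleNet row 3: mstsc connection 20 minutes before the ws-0123 copy (outside the window).
// SampleNet row 4: non-mstsc process on ws-0123 at copy time (dropped by the process filter).
let SampleNet = datatable(Timestamp:datetime, DeviceName:string, RemoteIP:string, RemotePort:int, InitiatingProcessFileName:string, ActionType:string)
[
    datetime(2025-05-11 08:58:30), "ws-0123.corp.example", "10.0.5.20", 3389, "mstsc.exe",  "ConnectionSuccess",
    datetime(2025-05-11 09:27:00), "ws-0456.corp.example", "10.0.5.21", 3389, "mstsc.exe",  "ConnectionSuccess",
    datetime(2025-05-11 08:40:00), "ws-0123.corp.example", "10.0.5.23", 3389, "mstsc.exe",  "ConnectionSuccess",
    datetime(2025-05-11 09:00:10), "ws-0123.corp.example", "10.0.5.22", 443,  "chrome.exe", "ConnectionSuccess"
];
// Same justification parsing as the hunting query.
let DlpParsed = SampleDlp
| extend JustificationTextStr = tostring(Justification)
| extend
    justification_id = extract(@"^([^_]+)", 1, JustificationTextStr),
    justification_description = extract(@"^[^_]+_(.*):", 1, JustificationTextStr),
    justification_comment = extract(@":(.*)$", 1, JustificationTextStr)
| extend has_comment = isnotempty(justification_comment)
| project-away JustificationTextStr;
// Same correlation as the hunting query, with the minute delta kept as a column
// so the window decision is visible in the output.
SampleNet
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName has "mstsc"
| join kind=inner (DlpParsed) on DeviceName
| extend minutes_apart = datetime_diff("minute", Timestamp, dlptimestamp)
| where abs(minutes_apart) <= 5
| project
    dlptimestamp,
    Timestamp,
    minutes_apart,
    DeviceName,
    RemoteIP,
    RemotePort,
    AccountDisplayName,
    ObjectId,
    justification_id,
    justification_description,
    justification_comment,
    has_comment
| sort by dlptimestamp desc
```

Two things to keep in mind when reading the result. `datetime_diff("minute", ...)` counts minute boundaries crossed rather than elapsed time, so the window is slightly coarser than a literal five minutes; if you need an exact window, compare `abs(Timestamp - dlptimestamp) <= 5m` instead. The `.*` in the description pattern is greedy, so a colon inside a user's comment moves the description/comment split to that last colon; `has_comment` makes it easy to spot rows where the split produced nothing. Finally, `==` on `DeviceName` is case-sensitive, so if the Purview event and DeviceNetworkEvents record the device name in different forms the join returns no rows; comparing the two columns side by side on a known event is a quick way to confirm they line up in your tenant.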

Alex Verboon
Released: May 11, 2025